Snow Leopard to Prowl for Mac Malware?

Apple has reportedly built antimalware features into its upcoming Snow Leopard operating system. The feature apparently patrols for known Mac Trojans. Tight security is an oft-touted feature of Mac OS X, though users must still be wary of malware like Mac Trojans, which have been known to exist in the wild.

Apple has reportedly included antimalware technologies in Snow Leopard, which will go on sale Friday.

The news comes shortly after Apple released a fresh round of commercials indicating that the Mac, unlike PCs running Windows, is virus-free.

Mac security software vendor Intego's blog carried a screenshot showing the antimalware feature detecting a version of the RSPlug Trojan horse in a downloaded disk image.

Dan Goodin, writing in the Register blog, said the feature checks for only two known Mac Trojans, and has other limitations.

About the Antimalware

Intego said it's not sure how the antimalware feature works. It promised to post more information on its blog when it finds out.

Quoting someone who has tested the feature and requested anonymity because of the restrictions of a non-disclosure agreement (NDA), Goodin said a pop-up window warns users when they try to install applications that are malicious.

The feature apparently only detects two known Mac Trojans, RSPlug and iServices. Further, it flags them only if they were downloaded from the Internet using Entourage, iChat, Safari, Mail, Firefox and Thunderbird, Goodin's source said.

The feature does not detect malicious files downloaded using Skype and other Internet-facing applications, or files on DVDs and thumb drives, Goodin's source told him.

Does Apple Security Work?

On its Web site, Apple claims that Mac OS X delivers "the highest level of security through the adoption of industry standards, open software development and wise architectural decisions." This intelligent design prevents the viruses and spyware that sometimes plague PC users, it says.

Features include a secure default configuration; a personal firewall; automatic updates; FileVault, which encrypts the user's home directory with AES-128; and encrypted disk images.

"Apple security's mostly worse than Windows Vista because it doesn't have full ASLR and DEP," security researcher Charlie Miller told MacNewsWorld. "We'll have to wait for Snow Leopard to see if it adds these features. If it does, it is at least comparable to Vista."

Let's Get All Technical

ASLR, or address space layout randomization, randomly arranges the positions of key memory areas in a process's address space on each run, including the base of the executable and the positions of libraries, heaps and stacks. An attacker who needs to redirect execution to a known address, such as a stack buffer or a library function, then has to guess or leak that address rather than hard-code it.

DEP, or data execution prevention, is a security feature introduced in Microsoft Windows XP Service Pack 2, backed by the processor's no-execute (NX) page bit where the hardware supports it. It stops an application or service from executing code out of a memory region that is marked as data, such as the stack or the heap. That blocks the classic exploit in which a buffer overflow writes attacker-supplied code into a data region and then diverts execution into it, and forces the attacker to reuse code that is already executable, which is exactly where ASLR starts to matter.
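The two mechanisms can be observed from inside a process. The following program is an added example written for this page, not code from the article, from Apple or from Miller; it assumes a Linux-style POSIX toolchain on x86-64 or AArch64, and every function name in it (try_execute, dep_enforced, sample_layout) is the example's own. It writes a one-instruction "return" stub into a freshly mapped read/write page and calls it: with DEP/NX in force the CPU faults, the SIGSEGV handler unwinds the call, and only after mprotect() marks the page executable does the stub run. It then samples the addresses of the executable, the stack, the heap and a libc function; run it twice and compare the lines, since any address that stays fixed between runs is a region ASLR is not randomizing.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return to caller" on the host CPU. On x86-64 the stub
 * starts with endbr64 so it also runs on CET-enabled hardware. */
#if defined(__x86_64__)
static const unsigned char RET_STUB[] = { 0xF3, 0x0F, 0x1E, 0xFA, 0xC3 }; /* endbr64; ret */
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 };       /* ret */
#else
#error "this demo supports x86-64 and AArch64 only"
#endif

static sigjmp_buf recover_point;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover_point, 1);     /* unwind back into try_execute() */
}

/* Jump to the code at `page`. Returns 1 if it executed and returned normally,
 * 0 if the CPU faulted because the page is not marked executable. */
int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;         /* a second fault must be catchable too */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus); /* some platforms report the fault as SIGBUS */

    volatile int ran = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
        fn();
        ran = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ran;
}

/* Write the stub into a fresh read/write page and try to run it, first as
 * plain data (DEP should refuse) and then after mprotect() makes it RX.
 * Returns 1 when DEP behaved as expected, 0 when the data page executed
 * anyway, -1 if the mapping calls or the stub itself failed. */
int dep_enforced(void) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, RET_STUB, sizeof RET_STUB);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_STUB);

    int ran_as_data = try_execute(page);              /* expect 0 under DEP */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    int ran_as_code = try_execute(page);              /* expect 1 */
    munmap(page, pagesz);

    if (ran_as_code != 1) return -1;  /* stub is broken; that is not a DEP verdict */
    return ran_as_data == 0 ? 1 : 0;
}

/* Addresses ASLR is meant to move on every execution. In a non-PIE binary
 * the executable's text stays fixed and &printf may resolve to the PLT stub
 * inside the executable rather than to libc itself. */
struct layout { uintptr_t text, stack, heap, libc; };

struct layout sample_layout(void) {
    struct layout l;
    int marker = 0;
    void *h = malloc(64);
    l.text  = (uintptr_t)&sample_layout;   /* main executable */
    l.stack = (uintptr_t)&marker;          /* current stack frame */
    l.heap  = (uintptr_t)h;                /* heap allocation */
    l.libc  = (uintptr_t)&printf;          /* shared library code */
    free(h);
    return l;
}

int main(void) {
    int verdict = dep_enforced();
    printf("DEP/NX enforced: %s\n",
           verdict == 1 ? "yes" : verdict == 0 ? "NO (data page executed)" : "unknown");
    struct layout l = sample_layout();
    printf("text=%#lx stack=%#lx heap=%#lx libc=%#lx\n",
           (unsigned long)l.text, (unsigned long)l.stack,
           (unsigned long)l.heap, (unsigned long)l.libc);
    return 0;
}
```

Build it as a position-independent executable (gcc -fPIE -pie) to see all four regions move; the same binary built without PIE shows the "partial ASLR" situation the quote above complains about, with the executable's own text and data at fixed addresses from one run to the next.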

"We wonder just how serious Apple thinks the malware threat is, especially since their latest Get a Mac ads highlight the fact that PCs running Windows suffer from viruses," Intego said.

Since leaving the National Security Agency, Miller has made a career out of cracking Apple's security. At the Black Hat 2009 security conference, he demonstrated that hackers can break into iPhones through the SMS protocol. Apple later issued a patch it said fixed the problem. He also hacked a Mac in about 10 seconds at CanSecWest 2009 in Vancouver, Canada, in March.

Both Intego and Miller have seen a pre-release copy of Snow Leopard but cannot comment, because they're under NDA until Friday, when Snow Leopard hits the shelves.

Ducking the Malware Firestorm

Apple has had to issue two security updates for Leopard, Snow Leopard's predecessor, this year.

However, Cupertino has been able to avoid major security problems because it has a relatively small share of the personal computing market, said Miller.

"If 90 percent of the world runs Windows, and I'm a bad guy who wants to make money with botnets and such, I'll spend 100 percent of my time on Windows since I can make the most money that way," Miller explained.

"So far, Apple has been able to achieve excellent security by obscurity," Laura DiDio, principal at ITIC, told MacNewsWorld. "It's not that Microsoft has poor security, it's just that, if you are the largest target out there and people keep pounding on you, sooner or later they'll get through."

If the reports that Apple has included an antimalware feature in Snow Leopard are correct, it's a smart move, DiDio said.

"Besides being a good tactical move from the technology standpoint, it's a good public relations move to show industry watchers, customers and resellers Apple's taking charge, it's being proactive and not letting the issue get ahead of it," she said.